The invention is based on a priority application EP08290395.6 which is hereby incorporated by reference.
The invention relates to a method and to a protection unit for protecting a packet-based network from attacks, to a security border node for a packet-based network comprising such a protection unit, as well as to a packet-based network comprising at least two such protection units.
The invention is related to the protection of packet-based networks such as communication/computer networks, in particular core networks, against any kinds of attacks. A core network may be implemented using the TISPAN (Telecoms & Internet converged Services & Protocols for Advanced Networks), resp. next generation network (NGN) architecture with an IMS (IP multimedia subsystem) using application layer control (signalling) protocols such as the Session Initiation Protocol (SIP) for creating, modifying, and terminating sessions with one or more participants. In such a core network, attacks can occur on different layers (IP, transport, up to the application layer) and the attack strategy can vary. In particular, the application protocol stacks in the border nodes of a core network are highly jeopardized and therefore need a protection mechanism to achieve the requested high availability of the whole system, especially for well behaving users/devices. It is understood that the invention is not limited to NGN/IMS/TISPAN network with SIP signalling, but pertains to all types of IP networks, using other types of signalling protocols, e.g. SOAP (Simple Object Access Protocol).
A core network 1 of the type described above is shown in FIG. 1. The core network 1 has multiple (security) border nodes 2a to 2f for connecting the core network 1 to access networks 3 which are themselves connected to end user equipment 4. Some of the border nodes 2a to 2f may also be used to connect the core network 1 to other core networks (not shown). In the border nodes 2a to 2f, a security policy needs to be applied that immediately identifies valid from potentially dangerous traffic. Identified fraud traffic needs to be blocked (by providing an identifying sequence of data or another identifying signature pattern), also referred to as a signature in the following.
Current security solutions are either based on signature detection which is fast but not adaptive to new attack patterns or/and use classification based detection algorithms which are adaptive but cause high processing load. Moreover, security strategies are currently concentrated on a single, individual Session Border Controller (SBC) or security border node, respectively.